ALPHV/BlackCat ransomware gang

A law enforcement operation is rumored to be behind an outage affecting ALPHV ransomware gang’s websites over the last 30 hours.

The ALPHV (aka BlackCat) negotiation and data leak sites suddenly became unavailable yesterday and continue to remain down today.

BleepingComputer has also confirmed that unique Tor negotiation URLs shared with victims in ransom notes are also down, indicating a disruption to the ransomware gang’s public-facing infrastructure and a halt to ongoing negotiations.

ALPHV data leak site not operational
Source: BleepingComputer

When questioned yesterday about the disruption, the Admin for ALPHV told BleepingComputer that the sites may be back online soon.

That was 20 hours ago, and the sites continue to remain down at this time.

The Tox status for the Admin claims that the operation is repairing their servers but they have not answered questions about what happened.

Admin showing "Repair" as their Tox status
Source: BleepingComputer

However, BleepingComputer suspects that the ransomware gang may have been the target of law enforcement action following their recent activities, which others have also hinted at.

“Hearing wild (and strong) rumours that ALPHV/Blackcat has been paid a visit by the FBI,” reads a tweet by someone named Evangelos G.

Evangelos tweet

Friday afternoon, cybersecurity firm RedSense Intel also confirmed to BleepingComputer that the servers were shut down due to a law enforcement action.

“Today, RedSense can confirm that ALPHV aka BlackCat ransomware gang’s site has been taken down by law enforcement,” RedSense also shared in a tweet on X.

BleepingComputer has not been able to independently confirm whether the FBI breached ALPHV’s servers, and the FBI declined to comment when asked about the outages.

However, similar disruptions were seen in the past due to law enforcement operations.

For example, when the FBI breached REvil’s servers, they obtained the decryption keys for the victims of the Kaseya ransomware attack.

Similarly, the FBI hacked Hive’s infrastructure, secretly obtaining decryption keys and disseminating them to victims.

Are you an ALPHV affiliate or someone with information about ALPHV’s website outages? If you want to share the information, you can contact us securely on Signal at +1 (646) 961-3731, via email at tips@bleepingcomputer.com, or using our tips form.

A rebrand in the making

The ALPHV/BlackCat ransomware operation is believed to be a rebrand of the DarkSide gang. The operation launched in 2020 and quickly rose to prominence over the next year.

However, after attacking the Colonial Pipeline, the ransomware gang faced intense scrutiny by the US government and international law enforcement, ultimately leading to the seizure of their infrastructure and the operation shutting down.

Only a few months later, the ransomware gang returned, this time under the name BlackMatter. However, the managers of this operation claimed in an interview that they were affiliates of the DarkSide operation and not the original leaders.

Only a short four months later, BlackMatter shut down its operation in November 2021 after claiming to be under pressure from law enforcement.

In February 2022, the ransomware gang returned again, this time under the name ALPHV, also known as BlackCat due to an image used on their Tor negotiation sites.

While this rebrand started out like most ransomware gangs, targeting companies worldwide in extortion attacks, the operation has since expanded by partnering with English-speaking affiliates and targeting critical infrastructure, such as hospitals and water suppliers.

Because of this, it was only a matter of time until they again drew the scrutiny of law enforcement, whether through this disruption or a future one.

Update 12/8/23: Added further public confirmations that the shutdown of servers is related to law enforcement action.

Source: www.bleepingcomputer.com